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1. A safety verification device of a reactive system 
represented by a set of function symbols, a set of rewriting 
rules, a set of axioms, a set of terms, and a set of terms to be 

5 verified, 

said set of axioms being a set consisting only a 
commutative law and an associative law, and 

said safety verification device of a reactive system 

comprising: 

10 a translation unit generating, under said set of axioms, 

a first equational tree automaton which accepts said set of terms, 

a simulation unit generating, under said set of 
rewriting rules and said set of axioms and using said first 
equational tree automaton as initial data, a second equational 

15 tree automaton which accepts said set of terms and a set 
comprising terms derived from said set of terms, and 

a set operation unit which generates a fourth 
equational tree automaton by associating said second equational 
tree automaton with a third equational tree automaton which 

20 accepts said set of terms to be verified and determines whether 
or not a set accepted by the fourth equational tree automaton is 
an empty set. 

2. A safety verification device of a reactive system 
25 represented by a set of function symbols, a set of rewriting 

rules, a set of axioms, a set of terms, and a term to be verified, 
said set of axioms being a set consisting only a 

commutative law and an associative law, and 

said safety verification device of a reactive system 

30 comprising : 

a translation unit generating, under said set of axioms, 
a first equational tree automaton which accepts said set of terms, 

a simulation unit generating, under said set of 
rewriting rules and said set of axioms and using said first 
35 equational tree automaton as initial data, a second equational 
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tree automaton which accepts said set of terms and a set 
comprising terms derived from said set of terms, and 

a set operation unit determining whether or not said 
second equational tree automaton accepts said term to be verified. 

3. A safety verification device of a reactive system 
according to claim 1 or 2, wherein said set of function symbols 
is a set comprising function symbols representing encryption, 
decryption and communication processing as elements, 

said set of rewriting rules is a set comprising as an 
element a rule representing that encrypted information is 
returned to plaintext by decryption, 

said term to be verified is confidential information, 

and 

said set of terms is a set of knowledge of each of 
subjects that exchange confidential information, and a set of 
knowledge of a subject that monitors the information exchanged 
between said subjects. 

20 4. A safety verification method of a reactive system 

represented by a set of function symbols, a set of rewriting 
rules, a set of axioms, a set of terms, and a set of terms to be 
verified, 

said set of axioms being a set consisting only a 
25 commutative law and an associative law, and 
said method comprising: 

a first step of generating, under said set of axioms, a 
first equational tree automaton which accepts said set of terms, 
a second step of generating, under said set of 
30 rewriting rules and said set of axioms and using said first 

equational tree automaton as initial data, a second equational 
tree automaton which accepts said set of terms and a set of terms 
derived from said set of terms, and 

a third step of generating a fourth equational tree 
35 automaton by associating said second equational tree automaton 
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with a third equational tree automaton which accepts said set of 
terms to be verified and determining whether or not a set 
accepted by the fourth equational tree automaton is an empty set. 

5 5. A safety verification method of a reactive system 

represented by a set of function symbols , a set of rewriting 
rules, a set of axioms, a set of terms, and a term to be verified, 

said set of axioms being a set consisting only a 
commutative law and an associative law, and 
10 said method comprising: 

a first step of generating, under said set of axioms, a 
first equational tree automaton which accepts said set of terms, 

a second step of generating, under said set of 
rewriting rules and said set of axioms and using said first 
15 equational tree automaton as initial data, a second equational 

tree automaton which accepts said set of terms and a set of terms 
derived from said set of terms, and 

a third step of determining whether or not said second 
equational tree automaton accepts said term to be verified. 

20 

6. A safety verification method of a reactive system 
according to claim 4 or 5, wherein said set of function symbols 
is a set comprising function symbols representing encryption, 
decryption and communication processing as elements, 
25 said set of rewriting rules is a set comprising as an 

element a rule representing that encrypted information is 
returned to plaintext by decryption, 

said term to be verified is conf idential information, 

and 

30 said set of terms is a set of knowledge of each of 

subjects that exchange confidential information, and a set of 
knowledge of a subject that monitors the information exchanged 
between said subjects. 

35 7. A computer-readable recording medium containing a 
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reactive system safety verification computer program, comprising: 

a first program code which accepts an input of a 
procedure represented by a set of function symbols, a set of 
rewriting rules, a set of axioms, a set of terms, and a set of 
5 terras to be verified, 

a second program code which generates, under said set 
of axioms consisting only of a commutative law and an associative 
law, a first equational tree automaton which accepts said set of 
terms, 

10 a third program code which generates, under said set of 

rewriting rules and said set of axioms and using said first 
equational tree automaton as initial data, a second equational 
tree automaton which accepts said set of terms and a set of terms 
derived from said set of terms, and 

15 a fourth program code which generates a fourth 

equational tree automaton by associating said second equational 
tree automaton with a third equational tree automaton which 
accepts said set of terms to be verified and determines whether 
or not a set accepted by the fourth equational tree automaton is 

20 an empty set. 

8. A computer-readable recording medium containing a 
safety verification computer program, comprising: 

a first program code which accepts an input of a 
25 procedure represented by a set of function symbols, a set of 

rewriting rules, a set of axioms, a set of terms, and a term to 
be verified, 

a second program code which generates, under said set 
of axioms consisting only of a commutative law and an associative 
30 law, a first equational tree automaton which accepts said set of 
terms, 

a third program code which generates, under said set of 
rewriting rules and said set of axioms and using said first 
equational tree automaton as initial data, a second equational 
35 tree automaton which accepts said set of terms and a set of terms 
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derived from said set of terms, and 

a fourth program code which determines whether or not 
said second equational tree automaton accepts said term to be 
verified. 

5 

9. A computer-readable recording medium containing a 
reactive system safety verification computer program according to 
claim 7 or 8, wherein said set of function symbols is a set 
comprising function symbols representing encryption, decryption 

10 and communication processing as elements, 

said set of rewriting rules is a set comprising as an 
element a rule representing that encrypted information is 
returned to plaintext by decryption, 

said term to be verified is confidential information, 

15 and 

said set of terms is a set of knowledge of each of 
subjects that exchange confidential information, and a set of 
knowledge of a subject that monitors the information exchanged 
between said subjects. 

20 

10. A computer program data signal embodied in a 
carrier wave for reactive system safety verification, comprising: 

a first program code which accepts an input of a 
procedure represented by a set of function symbols, a set of 
25 rewriting rules, a set of axioms, a set of terms, and a set of 
terms to be verified, 

a second program code which generates, under said set 
of axioms consisting only of a commutative law and an associative 
law, a first equational tree automaton which accepts said set of 
30 terms, 

a third program code which generates, under said set of 
rewriting rules and said set of axioms and using said first 
equational tree automaton as initial data, a second equational 
tree automaton which accepts said set of terms and a set of terms 
35 derived from said set of terms, and 
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a fourth program code which generates a fourth 
equational tree automaton by associating said second equational 
tree automaton with a third equational tree automaton which 
accepts said set of terms to be verified and determines whether 
5 or not a set accepted by the fourth equational tree automaton is 
an empty set. 

11. A computer program data signal embodied in a 
carrier wave for reactive system safety verification, comprising: 

10 a first program code which accepts an input of a 

procedure represented by a set of function symbols, a set of 
rewriting rules, a set of axioms, a set of terms, and a term to 
be verified, 

a second program code which generates, under said set 
15 of axioms consisting only of a commutative law and an associative 
law, a first equational tree automaton which accepts said set of 
terms, 

a third program code which generates, under said set of 
rewriting rules and said set of axioms and using said first 
20 equational tree automaton as initial data, a second equational 

tree automaton which accepts said set of terms and a set of terms 
derived from said set of terms, and 

a fourth program code which determines whether or not 
said second equational tree automaton accepts said term to be 
25 verified. 

12. A computer program data signal embodied in a 
carrier wave for reactive system safety verification according to 
claim 10 or 11, wherein said set of function symbols is a set 

30 comprising function symbols representing encryption, decryption 

and communication processing as elements, 

said set of rewriting rules is a set comprising as an 

element a rule representing that encrypted information is 

returned to plaintext by decryption, 
35 said term to be verified is confidential information. 



# 



-35- 

and 

said set of terms is a set of knowledge of each of 
subjects that exchange confidential information, and a set of 
knowledge of a subject that monitors the information exchanged 
between said subjects. 



